
alexsohn1126
Member

@alexsohn1126 alexsohn1126 commented Sep 24, 2025

Closes #4540

Problem

According to GitHub Actions security best practices, we should pin actions to a full-length commit SHA.

#skip-changelog


Note

Pins all CI actions and reusable workflows to specific commit SHAs across GitHub workflows and the buildnative composite action.

  • CI Workflows:
    • Pin commonly used actions to commit SHAs: actions/checkout@v5, actions/cache@v4 (and cache/restore), actions/upload-artifact@v4, actions/download-artifact@v5, codecov/codecov-action, microsoft/setup-msbuild.
    • Pin Docker-related actions: docker/login-action, docker/setup-qemu-action, docker/setup-buildx-action, docker/build-push-action.
    • Pin analysis/testing actions: github/codeql-action/{init,analyze}, gradle/actions/setup-gradle, reactivecircus/android-emulator-runner, styfle/cancel-workflow-action.
    • Pin reusable workflows and org actions: getsentry/github-workflows (danger, updater), getsentry/action-prepare-release, getsentry/github-workflows/sentry-cli/integration-test.
  • Composite Action (.github/actions/buildnative):
    • Replace actions/cache@v3 with pinned actions/cache@v4 SHAs for C and Android supplemental builds.

Written by Cursor Bugbot for commit 4783fed.

@alexsohn1126 alexsohn1126 changed the title WIP: Pin Sentry-related Actions to Commit-SHA WIP: Pin GitHub Actions to Commit-SHA Sep 24, 2025
@alexsohn1126 alexsohn1126 marked this pull request as ready for review September 24, 2025 21:38
@alexsohn1126 alexsohn1126 changed the title WIP: Pin GitHub Actions to Commit-SHA fix: Pin GitHub Actions to commit SHA Sep 24, 2025
@alexsohn1126 alexsohn1126 changed the title fix: Pin GitHub Actions to commit SHA chore: Pin GitHub Actions to commit SHA Sep 24, 2025

@Flash0ver
Member

@sentry review

@alexsohn1126 alexsohn1126 marked this pull request as draft September 25, 2025 14:40
@alexsohn1126 alexsohn1126 changed the title chore: Pin GitHub Actions to commit SHA WIP chore: Pin GitHub Actions to commit SHA Sep 25, 2025

codecov bot commented Sep 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.47%. Comparing base (6ea6bf4) to head (6e09784).
⚠️ Report is 14 commits behind head on main.

@@            Coverage Diff             @@
##             main    #4562      +/-   ##
==========================================
+ Coverage   73.34%   73.47%   +0.12%     
==========================================
  Files         479      482       +3     
  Lines       17509    17679     +170     
  Branches     3445     3495      +50     
==========================================
+ Hits        12842    12989     +147     
- Misses       3788     3799      +11     
- Partials      879      891      +12     


@alexsohn1126
Member Author

@sentry review

@alexsohn1126
Member Author

bugbot review


@jpnurmi
Collaborator

jpnurmi commented Sep 28, 2025

👍 for pinning all those 3rd party Docker actions etc. but I'd vote for leaving the official actions/xxx as they are, since these are owned and maintained by GitHub...

@alexsohn1126 alexsohn1126 marked this pull request as ready for review September 29, 2025 20:30
@alexsohn1126 alexsohn1126 changed the title WIP chore: Pin GitHub Actions to commit SHA chore: Pin GitHub Actions to commit SHA Sep 29, 2025
@jpnurmi
Collaborator

jpnurmi commented Sep 30, 2025

Some remaining tags in .github/actions/environment/action.yml:

uses: actions/setup-java@v4

uses: actions/setup-java@v4

uses: actions/setup-dotnet@v4

@Flash0ver
Member

And one more comment missing ... for consistency:

-uses: jlumbroso/free-disk-space@f68fdb76e2ea636224182cfb7377ff9a1708f9b8
+uses: jlumbroso/free-disk-space@f68fdb76e2ea636224182cfb7377ff9a1708f9b8 # v1.3.0
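Review bot: the `# v1.3.0` appended on the `+` line is not validated by anything in CI, so a reviewer still has to confirm in jlumbroso/free-disk-space that tag v1.3.0 actually points at f68fdb76e2ea636224182cfb7377ff9a1708f9b8 before merging; the comment only documents the mapping, it does not prove it. Once it is in place, Dependabot's github-actions updates rewrite the SHA and the trailing version comment together, so the two stay consistent on later bumps.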

@jamescrosswell
Collaborator

I'm definitely not a fan of this change. If everyone else really wants to do this, then I'll go with the flow, but I far prefer the readable tags/labels to the commit hashes... and the problem we're trying to solve here seems like a highly unlikely hypothetical problem.

Do we know anyone who has been scorched by this?

@alexsohn1126
Member Author

https://snyk.io/blog/reconstructing-tj-actions-changed-files-github-actions-compromise/

@jamescrosswell This seems to be an example of what a possible attack could look like.

@alexsohn1126 alexsohn1126 marked this pull request as draft October 1, 2025 15:17
@jamescrosswell
Collaborator

> https://snyk.io/blog/reconstructing-tj-actions-changed-files-github-actions-compromise/
>
> @jamescrosswell This seems to be an example of what a possible attack could look like.

I see... depressing.

That will make it much harder to review PRs. If I see a commit hash, the only way I have of verifying whether it's doing what we intend it to do is by going back to the repo where the action comes from, checking whether the appropriate label has been applied to that commit hash and also checking to make sure the commit hash doesn't correspond to an orphaned branch.

Probably not the kind of thing humans should be spending their time doing (and we wouldn't do it very reliably even if we tried).

@alexsohn1126
Member Author

alexsohn1126 commented Oct 1, 2025

I agree it's way more cumbersome to have commit hashes instead of version tags.

Dependabot automates the actual updates, but that doesn't change the fact that we (should) review those PRs. I think it is worth the extra security in my opinion though.

Other repos in Sentry also pin official GitHub Actions - such as checkout - to a commit SHA. In getsentry/sentry: https://github.com/getsentry/sentry/blob/master/.github/workflows/codecov_ats.yml#L34

Note:

Something I found during my research: the Open Source Security Foundation (OSSF) recommends that people pin GH Actions to commit SHAs too. See the second-last point in the Remediation steps section:

https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

I'm not saying OSSF is an omnipresent source for GitHub Action security, but with 5k stars it seems pretty reputable.

Just for fun, you can see sentry-dotnet's "security score" using their website: https://scorecard.dev/viewer/?uri=github.com/getsentry/sentry-dotnet
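As an added example (not code from this PR or from the sentry-dotnet repository), here is a small Python checker that mechanises the review concerns raised in the thread: it reports `uses:` references still on a tag (the `setup-java@v4` / `setup-dotnet@v4` leftovers), SHA pins with no trailing `# vX.Y.Z` comment (the free-disk-space consistency point), and, given `git ls-remote --tags` output for the action's repository, whether the tag named in the comment really peels to the pinned commit, which is the manual check described above. If the tag peels to the pinned SHA, the commit is reachable from that tag, which also settles the orphaned-commit worry. The workflow snippet and the ls-remote output embedded in the block are constructed samples (the `1111…`/`2222…` SHAs are placeholders); `fetch_tags` is the only part that touches the network and is not exercised by the sample run. The static part checks the same property that the OSSF Scorecard Pinned-Dependencies check looks for.

```python
"""Audit `uses:` pins in GitHub workflow / composite-action YAML.

Added example; not code from the sentry-dotnet repository.
Checks performed:
  1. a `uses:` ref that is not a full 40-hex commit SHA (tag or branch pin),
  2. a SHA pin with no trailing `# vX.Y.Z` comment,
  3. given `git ls-remote --tags` output for the upstream repo, whether the
     tag named in the comment peels to the pinned commit.
Local actions (`uses: ./...`) carry no `@ref`, so the regex never matches them.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)


@dataclass
class Finding:
    line_no: int
    repo: str
    ref: str
    problem: str


def audit(text: str) -> list[Finding]:
    """Static checks 1 and 2 over every `uses:` line in `text`."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        if not FULL_SHA.match(m["ref"]):
            findings.append(Finding(no, m["repo"], m["ref"], "not pinned to a full commit SHA"))
        elif m["comment"] is None:
            findings.append(Finding(no, m["repo"], m["ref"], "SHA pin has no version comment"))
    return findings


def parse_ls_remote_tags(output: str) -> dict[str, str]:
    """Map tag name -> commit SHA from `git ls-remote --tags <url>` output.

    An annotated tag is listed twice: `refs/tags/v1.3.0` is the tag object,
    `refs/tags/v1.3.0^{}` is the commit it peels to. The peeled SHA wins,
    because a workflow pin must name the commit, not the tag object.
    """
    tags: dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        ref = ref.strip()
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha          # peeled commit overrides the tag object
        else:
            tags.setdefault(name, sha)     # lightweight tag, or placeholder until peeled
    return tags


def verify_pin(sha: str, comment: Optional[str], tags: dict[str, str]) -> str:
    """Check 3: does the tag in the version comment point at `sha`? Returns 'ok' or a reason."""
    if comment is None:
        return "no version comment to check against"
    tag_sha = tags.get(comment)
    if tag_sha is None:
        return f"tag {comment} not found upstream"
    if tag_sha != sha:
        return f"tag {comment} resolves to {tag_sha[:12]}, not {sha[:12]}"
    return "ok"   # reachable from the tag, hence not an orphaned commit either


def fetch_tags(repo: str) -> dict[str, str]:
    """Network helper: ls-remote the owner/name part of `repo` (reusable workflows carry a longer path)."""
    owner_name = "/".join(repo.split("/")[:2])
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{owner_name}.git"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_ls_remote_tags(out)


# Constructed sample input; the free-disk-space lines reuse the pin quoted in the PR thread.
SAMPLE_WORKFLOW = """\
steps:
  - uses: ./.github/actions/environment
  - uses: actions/setup-java@v4
  - uses: jlumbroso/free-disk-space@f68fdb76e2ea636224182cfb7377ff9a1708f9b8
  - uses: jlumbroso/free-disk-space@f68fdb76e2ea636224182cfb7377ff9a1708f9b8 # v1.3.0
"""

# Constructed stand-in for `git ls-remote --tags` output; the 1111.../2222... SHAs
# are placeholders, not real upstream objects.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v1.3.0\n"
    "f68fdb76e2ea636224182cfb7377ff9a1708f9b8\trefs/tags/v1.3.0^{}\n"
    "2222222222222222222222222222222222222222\trefs/tags/v1.2.0\n"
)


def main() -> None:
    for f in audit(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.repo}@{f.ref}: {f.problem}")
    tags = parse_ls_remote_tags(SAMPLE_LS_REMOTE)
    print(verify_pin("f68fdb76e2ea636224182cfb7377ff9a1708f9b8", "v1.3.0", tags))
    print(verify_pin("f68fdb76e2ea636224182cfb7377ff9a1708f9b8", "v1.2.0", tags))


if __name__ == "__main__":
    main()
```

To run it against a real checkout, feed each `.github/workflows/*.yml` and `.github/actions/*/action.yml` to `audit`, and for every pinned line call `verify_pin(ref, comment, fetch_tags(repo))`; wiring that loop up with the dataclass fields is straightforward and left out to keep the block short.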

Development

Successfully merging this pull request may close these issues.

Consolidate versions of GitHub Actions
5 participants